How to Restore Files & Folders Hidden by Malware?

#1  05-26-2020, 11:19 PM  gabriel51 (Registered Member)

BRIEF DESCRIPTION OF MY ISSUE
I took my laptop out to work remotely using my phone as a tether. The tethered connection worked just fine, but my laptop could not pick up the signal for some reason, and so my phone was not detected as one of the internet access points. I spent time with it but still could not get my phone to show up as one of the internet access points.

When I got back home, it looked like I lost all of my Word files, downloads, everything. I haven't been able to access these files for over a week now. I think, I hope that it's just a case of malware hiding my files from me. Step by step, can you help me with a reliable, tried and true procedure to recover my files?

All of my former Word 2013 docs are missing. The file itself exists on this “shell” of an OS as do the other MS suites. But they’re not populated. All of the documents I’ve accumulated over the last 6 years are missing. Ditto for all of my downloads. The download file exists; it’s just that it’s not populated with the stuff I’ve saved over the same period. It goes without saying that I need both my Word docs and my downloads.

See attachments.
Attached Files
File Type: txt Addition.txt (46.6 KB, 4 views)
File Type: txt FRST.txt (151.5 KB, 3 views)
#2  05-27-2020, 01:23 AM  Gary R (Moderator, Security Team)

Looking over your FRST logs now, this can sometimes take a while, so please be patient, I'll be back ASAP when I've finished.

Question ... did you pay for BitDefender, or is the copy installed the free version ?
#3  05-27-2020, 01:38 AM  Gary R (Moderator, Security Team)

OK, back sooner than expected, and that's because I found the following in your FRST.txt log ...

Quote:
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 24-05-2020 01
Ran by mwalg_000 (administrator) on MONEYMAKER (Dell Inc. Inspiron 5737) (26-05-2020 18:16:52)
Running from C:\Users\TEMP\Documents
Loaded Profiles: mwalg_000 <==== ATTENTION (Temporary Profile?)
... which tells me that your computer is booted to a temporary profile.

This can happen either when your User profile gets corrupted during normal usage (which, although rarely, does happen from time to time), or when Malware deliberately corrupts it.

So, the first thing we need to establish is which it is.

So ..... please do the following ....
  • Right click Start and select Shutdown or sign out > Restart and allow your computer to completely power down.
  • When your computer has finished restarting see if your problem is still present.
  • If it is, repeat the process another 3 times, each time making the same restart selection.
  • Please let me know what happens.
#4  05-27-2020, 07:37 AM  gabriel51 (Registered Member)

Bit Defender is the free version.

I will attempt your instructions now.
#5  05-27-2020, 07:54 AM  Gary R (Moderator, Security Team)

OK, talk to you once you've tried the restarts.
#6  05-27-2020, 08:25 AM  gabriel51 (Registered Member)

Well, the first restart attempt took almost 20 minutes to restart.

When the desktop finally loaded, the score or so of programs on there reverted to default display.

The default browser is now MS Edge. I generally set Chrome as my default browser. Oh, and the first web page that opened, an MS Edge page without any URL, had a tab that read "Web Threat Blocked."

Everything is slow. So, yes, problem still persists.

I will try this 3 more times.
#7  05-27-2020, 08:48 AM  Gary R (Moderator, Security Team)

OK, talk to you when you're finished.
#8  05-27-2020, 09:12 AM  gabriel51 (Registered Member)

The 2nd restart took only 5 minutes to load, so that was promising.

On the 3rd restart, everything returned to normal . . . well, my normal. Downloads, Word 2013 files, everything on the desktop repopulated to where I'd left it.

How, er, why did this work, the three restarts?

Wow! Can't believe it worked. Just, wow!

Thank you so much, Gary R. Terrific.

I'd better get an external drive to save ALL of my files just in case. Do you have a recommendation for that?

And my computer still runs a little slow. I wonder what the best approach is to improve that.

But thank you so much. This is a huge relief. Thank you, Gary.
#9  05-27-2020, 10:04 AM  Gary R (Moderator, Security Team)

Glad to hear you got your files back.

To be honest I'm not exactly sure why it sometimes takes 3 or 4 tries before a corrupted User profile gets repaired, I just know that it does sometimes take that long.

Can you please run a new scan with FRST, and attach the new FRST.txt and Addition.txt logs so I can see whether there's anything untoward that needs attending to. Could be it might provide an explanation to why your computer is running slowly.

As far as backups go, I store mine on a detachable hard drive which I plug in via USB. I don't recommend USB flash drives because they're not reliable and have a habit of failing when you need them not to.
#10  05-27-2020, 01:23 PM  gabriel51 (Registered Member)

Gary,

Sorry for the delay. My work schedule is such that I had to sleep earlier and I am heading out to work in a few minutes. I started the scan. If it finishes before I leave, I'll get it to you. Thank you very much for your remarkable efforts, man.

Gabriel
#11  05-27-2020, 04:03 PM  Gary R (Moderator, Security Team)

No problem, don't rush.

It's now midnight where I am, and I'll be busy tomorrow morning, so it will be tomorrow afternoon (my time British Summer Time) before I get a chance to look at your new logs.
#12  05-27-2020, 10:24 PM  gabriel51 (Registered Member)

Well, looks like there's a new problem. I've scanned my computer twice with the Farbar Recovery tool and received this message both times:

Sorry, you have been blocked
You are unable to access platforumedge2.network
Why have I been blocked?
This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data.

What can I do to resolve this?
You can email the site owner to let them know you were blocked. Please include what you were doing when this page came up and the Cloudflare Ray ID found at the bottom of this page.

Cloudflare Ray ID: 59a52bcbb8bec7cd
Your IP: 67.166.22.61
Performance & security by Cloudflare.

Not sure what to do.
#13  05-28-2020, 02:55 AM  Gary R (Moderator, Security Team)

Did you get this message when you ran FRST, or when you tried to attach the logs here at TSF ?

If it was when you tried attaching the logs here at TSF, please try the following ...
  • Right click on your FRST.txt log, and select Send to then Compressed (zipped) folder
  • Repeat for your Addition.txt log
  • Now try attaching them to your next post.

If it was when you ran FRST, let me know because it may mean we need to run a scan in Recovery Environment to see if you have a Malicious Rootkitted file present.
#14  05-28-2020, 06:04 AM  gabriel51 (Registered Member)

You got it: it was when I tried to attach the logs here at TSF.
Attached Files
File Type: zip FRST.zip (27.3 KB, 2 views)
File Type: zip Addition.zip (16.0 KB, 3 views)
#15  05-28-2020, 09:10 AM  Gary R (Moderator, Security Team)

Looking over your new logs now, I'll be back as soon as I've finished.
#16  05-28-2020, 02:56 PM  Gary R (Moderator, Security Team)

After looking through your latest logs, there are a few things I need to discuss with you, and a few things that need attending to.

First ....

Your log shows that you had 76 chrome.exe processes running at the time the scan was made ...

Quote:
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe <76>
... so either you had an inordinately large number of tabs open, or there's something wrong with Chrome, possibly an infection.

Next ....

You have a large number of sites that you have allowed to send you notifications in Chrome ...

Quote:
CHR Notifications: Default -> hxxps://aei-push.os.tc; hxxps://app.gotowebinar.com; hxxps://calendar.google.com; hxxps://drive.google.com; hxxps://learnbuildearn.os.tc; hxxps://mentalfloss.com; hxxps://mg.mail.yahoo.com; hxxps://pulse.tenstreet.com; hxxps://sidehustleschool.com; hxxps://thepodcastfactory.pushconnectnotify.net; hxxps://tomshardware.onesignal.com; hxxps://us-mg5.mail.yahoo.com; hxxps://www.aei.org; hxxps://www.businessnewsdaily.com; hxxps://www.cyberlink.com; hxxps://www.earlytorise.com; hxxps://www.harryanddavid.com; hxxps://www.investors.com; hxxps://www.moneytalksnews.com; hxxps://www.nestmann.com; hxxps://www.princetonreview.com; hxxps://www.tomshardware.com
... please check through them to see whether they are all sites that you have allowed. Notifications can be used as a vehicle to hijack Chrome.

Next ....

You have a large number of extensions installed on Chrome; this will greatly affect its performance. Most of them appear to be legit, however it's not really a good idea to have so many extensions, even legit ones.

The extensions I've listed below each raised questions when I researched them, and unless you specifically know them to be from legit sources, I would recommend you uninstall them ...

Quote:
CHR Extension: (Google Search) - C:\Users\mwalg_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-27]
CHR Extension: (AutoCAD 360) - C:\Users\mwalg_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcjeclnkejmbepoibfnamioojinoopln [2014-10-24]
CHR Extension: (Application Launcher for Drive (by Google)) - C:\Users\mwalg_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh [2014-11-16]
CHR Extension: (Chrome Web Store Payments) - C:\Users\mwalg_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2019-10-05]
CHR Extension: (Floor Plan Creator) - C:\Users\mwalg_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogbnemfckmdpkeeccieeahplnemmbcfg [2014-10-24]
CHR Extension: (Chrome Media Router) - C:\Users\mwalg_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2020-05-27]
CHR HKU\S-1-5-21-1478717658-117861286-2969353822-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh]
... see ... https://www.timeatlas.com/uninstall-chrome-extensions/

Next ....
  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press Ctrl+y (Ctrl and y keys at the same time)
  • A blank randomly named .txt Notepad file will open.
  • Copy and paste the following into it ....
Code:
SystemRestore: On
CreateRestorePoint:
VirusTotal: C:\ProgramData\SharewareOnSale Notifier\SharewareOnSale Notifier.exe
HKU\S-1-5-21-1478717658-117861286-2969353822-1001\...\MountPoints2: {3cb648ce-c1e5-11e8-8095-74867a530035} - "F:\LG_PC_Programs.exe"
Task: {2DDFA6AC-B14C-4397-9F40-2618043A837C} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {3049ABA0-C946-4459-865A-9CC83C015304} - System32\Tasks\G2MUploadTask-S-1-5-21-1478717658-117861286-2969353822-1001 => C:\Users\TEMP\AppData\Local\GoToMeeting\17359\g2mupload.exe <==== ATTENTION
Task: {32F35C06-6ABD-475C-8DEC-151E0C87C725} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {34FC0AA2-4088-4048-A226-AAA119BE3AEE} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {404D06B3-DDC5-4588-9E76-3A75E872DFF6} - System32\Tasks\G2MUpdateTask-S-1-5-21-1478717658-117861286-2969353822-1001 => C:\Users\TEMP\AppData\Local\GoToMeeting\17359\g2mupdate.exe <==== ATTENTION
Task: {481B354C-393C-41AF-8B82-ACE79F49905E} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {725D36D3-39EC-452B-B574-18D231103B59} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {76AF4BC1-7E80-4BB2-9D8E-D0ACDE0CB319} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {7AE74350-285C-4119-8B0C-70309C429E52} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {93B3F208-13A4-4928-9A63-6F77B7811DBF} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {9F9CE659-0968-46C0-B7CA-FCC90C4F08A6} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {AE641A21-6ABA-4D51-B2A9-52EACC092FD9} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {CC5786D6-71E3-45FF-A5C3-1E852AF3C8D8} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {E534A6C3-3675-4520-BCC0-9A6424B24DCA} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-1478717658-117861286-2969353822-1001.job => C:\Users\TEMP\AppData\Local\GoToMeeting\17359\g2mupdate.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\G2MUploadTask-S-1-5-21-1478717658-117861286-2969353822-1001.job => C:\Users\TEMP\AppData\Local\GoToMeeting\17359\g2mupload.exe <==== ATTENTION
SearchScopes: HKLM -> DefaultScope {41AD9944-DAD6-4794-830D-5DCF36C9A8D8} URL = 
SearchScopes: HKLM -> {41AD9944-DAD6-4794-830D-5DCF36C9A8D8} URL = 
SearchScopes: HKLM-x32 -> DefaultScope {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = 
SearchScopes: HKU\S-1-5-21-1478717658-117861286-2969353822-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-1478717658-117861286-2969353822-1001 -> {0b4d26f6-61a8-4463-99dd-5f2fe0400fa6} URL = 
SearchScopes: HKU\S-1-5-21-1478717658-117861286-2969353822-1001 -> {41AD9944-DAD6-4794-830D-5DCF36C9A8D8} URL = 
Toolbar: HKU\S-1-5-21-1478717658-117861286-2969353822-1001 -> No Name - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} -  No File
Toolbar: HKU\S-1-5-21-1478717658-117861286-2969353822-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
AlternateDataStreams: C:\Users\mwalg_000\Desktop\skitchsetup-2.3.1.168.exe:BDU [0]
AlternateDataStreams: C:\Users\mwalg_000\Downloads\Greenshot-INSTALLER-1.1.9.13.exe:BDU [0]
AlternateDataStreams: C:\Users\mwalg_000\Downloads\jing.exe:BDU [0]
IE trusted site: HKU\S-1-5-21-1478717658-117861286-2969353822-1001\...\genieo.com -> hxxp://search.genieo.com
IE trusted site: HKU\S-1-5-21-1478717658-117861286-2969353822-1001\...\localhost -> localhost
IE trusted site: HKU\S-1-5-21-1478717658-117861286-2969353822-1001\...\webcompanion.com -> hxxp://webcompanion.com
FirewallRules: [{07F9F723-A030-4065-B11D-32025E29967B}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe => No File
FirewallRules: [{32F9DB7E-A542-4083-B309-A6BC9847F47E}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe => No File
FirewallRules: [{4FB70716-497C-414B-9777-598D39E82704}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe => No File
FirewallRules: [{00D635ED-F818-4E13-B4A2-DF572BB09A18}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe => No File
FirewallRules: [{C5988234-DF9A-47FF-B3E2-AC9C53E0B609}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD10\PowerDVD10.EXE => No File
FirewallRules: [{E451E5F2-F781-4B72-AA83-0742D5580675}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD10\PowerDVD Cinema\PowerDVDCinema10.exe => No File
FirewallRules: [{1EE52CF3-71EC-4281-AD98-07B2DB2CB9B4}] => (Allow) C:\Users\mwalg_000\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe => No File
FirewallRules: [{D5594A63-2418-4854-A49F-886BC5FFAEBA}] => (Allow) C:\Users\mwalg_000\AppData\Roaming\Dropbox\bin\Dropbox.exe => No File
FirewallRules: [{732B90D5-10F7-42AD-8120-8E014E42BB70}] => (Allow) C:\Users\mwalg_000\AppData\Roaming\Dropbox\bin\Dropbox.exe => No File
FirewallRules: [{7CF59742-8EBE-470F-BF76-78F1AF74A28B}] => (Allow) C:\Program Files (x86)\Tencent\QQIntl\Bin\QQ.exe => No File
FirewallRules: [{B0F75A75-F423-4236-9764-01A948BA1B35}] => (Allow) C:\Program Files (x86)\Tencent\QQIntl\Bin\QQ.exe => No File
FirewallRules: [TCP Query User{1B7E407C-C3C0-4FB3-A6F5-3D21F47D4FDB}C:\program files (x86)\tencent\qqintl\bin\qq.exe] => (Allow) C:\program files (x86)\tencent\qqintl\bin\qq.exe => No File
FirewallRules: [UDP Query User{3A186174-3B86-415C-AF3F-DC6055AE9953}C:\program files (x86)\tencent\qqintl\bin\qq.exe] => (Allow) C:\program files (x86)\tencent\qqintl\bin\qq.exe => No File
FirewallRules: [{7B9C13B1-1114-4F66-91FD-B607841AAF1E}] => (Allow) C:\Program Files\CyberLink\PowerDirector14\PDR10.EXE => No File
EmptyTemp:
Hosts:
Cmd: ipconfig /flushdns
  • Press Ctrl+s to save fixlist.txt
NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Now press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log, answer any questions I asked, and let me know how your computer is behaving now.
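The checks Gary R made by eye in posts #3 and #16 (the "Loaded Profiles" line flagged as a temporary profile, the "<76>" instance count on chrome.exe, the CHR Notifications site list, and every line FRST marked "<==== ATTENTION") can be pulled out of an FRST.txt automatically. The script below is an added example, not part of this thread and not FRST's own tooling; the sample log is constructed from a few lines in the shape quoted above, and the "&" separator between profile names and the default of one instance when no "<N>" suffix is present are assumptions about the FRST format.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) logs.
Added example: not from the thread, nor part of FRST. It collects the
indicators the moderator looked for: a temporary profile, executables with
many running instances, Chrome notification sites, and ATTENTION lines.
"""
import re
from dataclasses import dataclass, field

# Constructed sample log: a handful of lines in the shape FRST prints.
SAMPLE_LOG = r"""
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 24-05-2020 01
Running from C:\Users\TEMP\Documents
Loaded Profiles: mwalg_000 <==== ATTENTION (Temporary Profile?)
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe <76>
(Microsoft Corporation -> Microsoft Windows) C:\Windows\explorer.exe
CHR Notifications: Default -> hxxps://calendar.google.com; hxxps://drive.google.com; hxxps://learnbuildearn.os.tc
Task: {2DDFA6AC-B14C-4397-9F40-2618043A837C} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
"""

ATTENTION = "<==== ATTENTION"
# Process lines: "(Signer -> Publisher) C:\path\name.exe <N>", the "<N>" count is optional.
PROCESS_RE = re.compile(r"^\([^)]*\)\s+(?P<path>[A-Za-z]:\\.+?\.exe)(?:\s+<(?P<count>\d+)>)?\s*$", re.I)
PROFILES_RE = re.compile(r"^Loaded Profiles:\s*(?P<names>.*?)\s*(?P<flag><====.*)?$")
NOTIF_RE = re.compile(r"^CHR Notifications:\s*\S+\s*->\s*(?P<sites>.+)$")


@dataclass
class Triage:
    loaded_profiles: list = field(default_factory=list)
    temporary_profile: bool = False
    process_counts: dict = field(default_factory=dict)  # exe path -> running instances
    notification_sites: list = field(default_factory=list)
    attention_lines: list = field(default_factory=list)


def triage_frst(text: str) -> Triage:
    """Walk an FRST.txt once and collect the indicators discussed in the thread."""
    t = Triage()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ATTENTION in line:
            t.attention_lines.append(line)
        if m := PROFILES_RE.match(line):
            # Assumption: FRST separates several loaded profiles with " & ".
            t.loaded_profiles = [n.strip() for n in m["names"].split("&") if n.strip()]
            t.temporary_profile = "Temporary Profile" in (m["flag"] or "")
        elif m := PROCESS_RE.match(line):
            # Assumption: no "<N>" suffix means a single instance.
            t.process_counts[m["path"]] = int(m["count"] or 1)
        elif m := NOTIF_RE.match(line):
            t.notification_sites = [s.strip() for s in m["sites"].split(";") if s.strip()]
    return t


def heavy_processes(t: Triage, threshold: int = 20) -> dict:
    """Executables with at least `threshold` instances, like the 76 chrome.exe here."""
    return {p: n for p, n in t.process_counts.items() if n >= threshold}


if __name__ == "__main__":
    report = triage_frst(SAMPLE_LOG)
    print("temporary profile:", report.temporary_profile, report.loaded_profiles)
    print("heavy processes:", heavy_processes(report))
    print("notification sites:", report.notification_sites)
    print("attention lines:", len(report.attention_lines))
```

Point it at a real FRST.txt with `triage_frst(open("FRST.txt", encoding="utf-8", errors="replace").read())`; the notification list is what you then walk through site by site as post #16 asks.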
#17  06-02-2020, 02:27 PM  Gary R (Moderator, Security Team)

Due to lack of response for 5 days, I presume that you no longer need my help, so .....

THIS TOPIC IS NOW CLOSED